Pentest
This section documents the steps taken to give pentesters access to the staging
Steps Taken
1. Created Kali Linux EC2 Instance (Sandbox AWS Account)
- Created an ec2 instance called
pentest-kali-stagingwith- AMI:
debian-kali-last-snapshot... - Instance type:
t3.medium - Keypair: None
- VPC:
main - Subnet:
main-private-c - Security group: no ingress
- Storage: 50gb gp3
- IAM role:
ec2-ssm-role(single managed policy attachedAmazonSSMManagedInstanceCore) - User data:
- AMI:
#!/bin/bash
apt-get update -y
apt-get install -y curl
# Download SSM agent from AWS
curl -o /tmp/amazon-ssm-agent.deb https://s3.eu-west-2.amazonaws.com/amazon-ssm-eu-west-2/latest/debian_amd64/amazon-ssm-agent.deb
# Install it
dpkg -i /tmp/amazon-ssm-agent.deb || apt-get install -f -y
# Enable + start service
systemctl enable amazon-ssm-agent
systemctl start amazon-ssm-agent
2. Created Identity Center User (IAM AWS Account)
- Created a new user with pentester’s email, enforced MFA in IAM Identity Center
- Skipped group assignment (use direct permissions instead)
- Enabled email invitation flow (password/MFA set by the user)
3. Created SecurityAudit Permission Set (IAM AWS Account)
- Created a new permission set
Pentest-SecurityAudit - Attached single AWS managed policy
SecurityAudit - Set session duration to 4 hours
3. Created SSM Access Permission Set (IAM AWS Account)
- Created a new permission set
Pentest-SSM-Access -
- Set session duration to 4 hours
- Attached inline policy
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "StartSessionToKaliOnly",
"Effect": "Allow",
"Action": "ssm:StartSession",
"Resource": [
"arn:aws:ec2:eu-west-2:609902089584:instance/<INSTANCE ID FOR KALI LINUX INSTANCE PROVISIONED ABOVE>",
"arn:aws:ssm:eu-west-2::document/AWS-StartSSHSession",
"arn:aws:ssm:eu-west-2:609902089584:document/SSM-SessionManagerRunShell"
]
},
{
"Sid": "ManageOwnSessions",
"Effect": "Allow",
"Action": [
"ssm:TerminateSession",
"ssm:ResumeSession"
],
"Resource": "arn:aws:ssm:eu-west-2:609902089584:session/${aws:userid}-*"
},
{
"Sid": "DescribeForConsoleAndCli",
"Effect": "Allow",
"Action": [
"ssm:DescribeSessions",
"ssm:GetConnectionStatus",
"ssm:DescribeInstanceInformation",
"ec2:DescribeInstances"
],
"Resource": "*"
}
]
}
4. Give Kali Instance Access to K8S Cluster Group
-
Create dedicated Kali source SG
- Name: kali-pentest-source
- Description:
DORA TLPT - VPC:
vpc-052f788d2f3bde59d (staging main) - Inbound:
None - Outbound:
default (allow all)
-
Attach kali-pentest-source to the Kali instance
- Edit security groups for the kali instance and add kali-pentest-source while keeping any existing SGs attached
-
Add ingress rule on the EKS cluster SG
- Edit the
euw2-stag-k8s-clusterSG and add rule:- Type: All TCP
- Source: Custom → kali-pentest-source
- Description:
DORA TLPT
- Edit the
5. Assigned SecurityAudit Access
- Assigned pentester user directly to the IAM, Management, Sandbox and Tools AWS accounts
- Applied the newly created permission set
Pentest-SecurityAudit - Double checked no access granted to other accounts (prod, etc)
6. Assigned SSM Access
- Assigned
Pentest-SSM-Accesspermission set to the pentester user in the sandbox AWS account only
7. Validated Access
- Ran through the above with a test user
- To test access via ssm:
aws ssm start-session --region eu-west-2 --target <instance ID> --profile <test user aws profile>
- To test access via ssm:
- Confirmed staging kali instance is accessible via SSM
- Confirmed SecurityAudit access to IAM, Management, Sandbox and Tools accounts